New to Windows 7 is the ability to fine tune User Account Control (UAC), the infamously chatty feature introduced in Windows Vista to improve security.

As the Windows operating system cannot differentiate between a user clicking a button and a program clicking a button, UAC was initially implemented to always prompt the user via a dialog shown in the Secure Desktop, similar to the login screen.

Windows 7, however, now ships with UAC configured to hide prompts when users change Windows settings. While this mode still ensures normal applications can’t overwrite your entire registry hive, Microsoft made a boo-boo in allowing users to change any Windows setting without a prompt. Yes, you can even change the UAC settings themselves without a prompt, giving applications free rein to run elevated (after the required restart).

To quickly demonstrate how easy it is to automate the disabling of UAC, I wrote some sloppy VBScript code (rename to .vbs), the kind you see in malware on P2P networks, that uses a combination of the SendKeys, Sleep and Run methods to drive the UAC control panel applet and reboot the system. A more enterprising piece of malware could, of course, move the UAC dialog off-screen and/or install itself into the startup folder.

An obvious fix for this “issue” would be to force the adjustment of UAC parameters to be confirmed by a human. Until Microsoft addresses this “issue”, you can set UAC to its highest mode to kill any concerns you may have… but you’re not using this in a production environment anyway – right?
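The post's interim advice is to set UAC to its highest level. The PowerShell below is an added example (not code from the original post) that audits the three UAC policy values behind that setting and, if needed, raises them to "Always notify". It assumes the standard UAC policy location under HKLM and that "Always notify" corresponds to `ConsentPromptBehaviorAdmin = 2` with `PromptOnSecureDesktop = 1` and `EnableLUA = 1`; run it from an elevated prompt.

```powershell
# Added example (not from the original post): audit and harden the UAC level.
# Assumptions: the documented UAC policy key below, and the mapping
# "Always notify" = EnableLUA 1, ConsentPromptBehaviorAdmin 2, PromptOnSecureDesktop 1.
# Windows 7's default is ConsentPromptBehaviorAdmin 5 (prompt only for non-Windows
# binaries), which is the mode the post describes.

$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    # Missing values read as $null and are cast to 0, which also counts as "not hardened".
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
    }
}

function Test-UacAlwaysNotify {
    $s = Get-UacState
    # UAC on, prompt for consent (2), and prompt on the Secure Desktop (1).
    return ($s.EnableLUA -eq 1 -and
            $s.ConsentPromptBehaviorAdmin -eq 2 -and
            $s.PromptOnSecureDesktop -eq 1)
}

function Set-UacAlwaysNotify {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    # Supports -WhatIf so the change can be previewed before it is applied.
    if ($PSCmdlet.ShouldProcess($UacKey, 'Set UAC to Always notify')) {
        Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
        Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
        Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
        Write-Warning 'UAC policy changed; a restart is required for the new level to take effect.'
    }
}

# Audit first; only change the level if it is below "Always notify".
Get-UacState | Format-List
if (Test-UacAlwaysNotify) {
    Write-Output 'UAC is already at its highest level (Always notify).'
} else {
    Write-Output 'UAC is below "Always notify"; raising it now.'
    Set-UacAlwaysNotify
}
```

Because the weakness the post describes is that these values can be changed silently, reading them back on a schedule (or enforcing them through the equivalent Group Policy settings under Security Options) is the practical check that the level has not been quietly lowered again.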